10 Tips to Help You Fulfill Your Responsibilities with Your Employee Benefits Plan Audit

The new audit requirements for Employee Benefit Plan Audits represent the most significant changes impacting Employee Benefit Plans since Congress enacted the Employee Retirement Income Security Act (ERISA) in 1974 to help protect retirement benefits for workers covered by private pension plans.

The new standard (SAS No. 136) replaces the “limited-scope audit” with the ERISA Section (a)(3)(C) audit and prescribes certain performance requirements.  The audit requirement changes the form and content of the auditor’s report and expands the responsibilities of both the auditor and the plan sponsor.

Plan sponsors are grappling with these expanded responsibilities.  UHY has developed 10 tips to help you fulfill your responsibilities, as well as help create a seamless audit experience.

  1. Know the plan’s provisions

Review documents including the prototype or volume-submitter document (if the plan is not individually designed) as well as the adoption agreement and amendments. You also should review the plan's eligibility, compensation, contributions, and benefits payment provisions.

If the plan is using a prototype or volume submitter plan document, the plan document will be amended and restated in 2021 or at the latest by the end of 2022 to bring the Plan into compliance with the legislative and regulatory changes set forth in IRS Notice 2017-37 (i.e., Cycle 3 restatement), which would include the amendments due to the SECURE Act, the CARES Act and the Consolidated Appropriations Act (if not previously done).

  2. Avoid unnecessary complexity of plan provisions

A plan with straightforward provisions reduces the risk of error while complexities can increase that risk. Examples of complexities include compensation exclusions, employer contributions, and vesting rules. If complexities exist, be aware of them and add controls to mitigate the risk of operational errors.

  3. Automate processes and calculations

This includes enrollment, payroll calculations, and calculations of contributions, as well as email notifications and employer contributions. You should also consider ways to streamline the interface from your 401(k) provider to your payroll provider. Put controls and procedures in place that address what could go wrong.

  4. Create checklists for compliance and documentation

Store or maintain your suite of plan documents together, including the prototype plan or volume submitter document, adoption agreement, and summary plan description, as well as the current fidelity bond, latest IRS determination letter and minutes from the governing body or from discussions with investment advisors. Review your ERISA fidelity bond coverage limit to make sure it is sufficient or consider adding an “inflation guard” which automatically raises the coverage to meet the requirements of ERISA.

For participant data, keep a checklist of information needed for each employee that includes beneficiary forms, email notifications, and required communications with participants. Create another checklist for distributions that includes termination, participant loans, and hardship withdrawals.

  5. Review System and Organization Controls (SOC) reports from service providers

Service providers engage CPA firms to review and test their internal controls. As you review the reports, look at the scope of the audit opinion issued and determine whether there are any exceptions in the testing results. You should also look to answer these questions:

  • Do we have controls to ensure the census data provided to the service provider is accurate?
  • Do we have controls in place to review the transaction confirmations from the service provider to determine if there are any discrepancies?
  • Do we have a control in place to ensure that changes are communicated to the service provider?

  6. Reconcile contributions to payroll reports

This should be done on a payroll-by-payroll basis to determine if contributions are missing and to help avoid delinquent contributions, which lead to additional costs. Administrators should also periodically match the type of employee contribution in the remittance file; this helps ensure that loan repayments do not suddenly stop. Some CFOs reconcile weekly, after each pay period, so that differences or issues are addressed immediately, and compare the total remittances at the end of the year to the Form W-3.

  7. Review timeliness of participant contributions and loan repayments

The DOL has established reporting requirements included in the audited financial statements and Form 5500. It also has procedures for employers to reimburse participants for lost earnings on the days those contributions were not invested on time. Contributions must be remitted to the plan custodian as soon as administratively possible, and remittances must be consistent. Do not remit employee contributions in one day on one occasion and then at different intervals in other pay periods, because the DOL could consider anything over one day as late. If you make a mistake, fix it to avoid possible penalties and interest.

  8. Review plan financial reports

  • Contributions: Review reports from the trustee/custodian on a routine basis to ensure these are remitted in a timely manner.
  • Distributions: Maintain proper approvals and supports and pay attention to compliance with plan provisions regarding hardship distributions and small cash-outs.
  • New Loans: Enter into the payroll system to ensure repayments start at the proper time.
  • Investments and returns: Meet with investment advisors once/twice per year to determine what needs to be added to and removed from a watch list.

  9. Document plan oversight and decisions

When documenting meetings with service providers, note the date, who attended, and a brief list of discussion items. You should also document discretionary contributions, investment selections, and service provider expenses and reviews. Provide your auditor with a copy of these minutes.

  10. Stay alert for new risks

ERISA attorneys advise that the Employee Benefits Security Administration (EBSA) has a cybersecurity audit questionnaire that addresses cybersecurity risk mitigation. Investigators have asked plan sponsors for their IT policy, their cybersecurity risk insurance policy, and evidence of their TPA's cybersecurity risk insurance coverage.

Investing in bitcoin for retirement plans is being considered by some companies. If you are an administrator of a 401(k) plan, it is best to meet with advisory teams to become aware of all possible risks.
